US-8863247

LDAP security domain data storage

Published: October 14, 2014
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

A Security Domain Access System (SDAS) provides highly available security domain data. The SDAS receives a request pertaining to a security domain. The request includes credentials for accessing a security domain manager server. The SDAS selects one of a plurality of security domain manager servers to process the request based on the credentials and the availability of each of the plurality of security domain manager servers. The SDAS forwards the request to the selected security domain manager server.

Patent Claims
22 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method comprising: receiving a request to change an availability of a public key infrastructure (PKI) subsystem of a plurality of subsystems providing PKI services, the request comprising credentials to access one or more of a plurality of domain managers managing the plurality of PKI subsystems; selecting, by a processing device, one of the plurality of domain managers to change the availability of the PKI subsystem of the plurality of PKI subsystems in view of the credentials and availability of the plurality of domain managers; and forwarding, by the processing device, the request to change the availability of the PKI subsystem of the plurality of PKI subsystems to the selected one of the plurality of domain managers.

2. The method of claim 1, wherein selecting comprises: determining which of the plurality of domain managers servers correspond to the credentials in the request; identifying which of the plurality of domain managers that correspond to the credentials are available; and selecting one of the available domain managers.

3. The method of claim 1, further comprising: storing, by the plurality of domain managers, security data for the plurality of PKI subsystems in a plurality of Lightweight Directory Access Protocol (LDAP)-based databases, wherein the security data is replicated amongst the LDAP-based databases in a replication domain when the security data is changed in at least one of the plurality of LDAP-based databases.

4. The method of claim 1, wherein the change comprises adding a certificate subsystem server to the plurality of PKI subsystems.

5. The method of claim 4, further comprising: adding, by the selected domain manager, an entry to an LDAP-based database that corresponds to the selected domain manager; and replicating, by the selected domain manager, the addition to a plurality of LDAP-based databases.

6. The method of claim 1, wherein the change comprises removing a certificate subsystem server from the plurality of PKI subsystems.

7. The method of claim 6, further comprising: removing, by the selected domain manager, an entry from an LDAP-based database that corresponds to the selected domain manager; and replicating, by the selected domain manager, the removal to a plurality of LDAP-based databases.

8. The method of claim 1, wherein a request is to view a topology of the plurality of PKI subsystems.

9. The method of claim 1, wherein the credentials comprise a user name and password to access one of the plurality of domain managers.

10. The method of claim 1, wherein the plurality of domain managers comprises a plurality of certificate authority (CA) servers, the plurality of CA servers comprising at least one of a root CA server or a clone of the root CA server.

11. The method of claim 1, wherein the plurality of PKI subsystems are grouped in a security domain.

12. The method of claim 1, wherein the plurality of PKI subsystems comprises at least one of a Certificate Authority (CA) subsystem, a Key Recovery Authority (KRA) subsystem, an Online Certificate Status Responder (OCSP) subsystem, a Registration Authority (RA) subsystem, a Token Key Service (TKS) subsystem to format tokens, or a Token Processing System (TPS).

13. A non-transitory computer-readable storage medium including instructions that, when executed by a processing device, cause the processing device to perform operations comprising: receiving a request to change an availability of a public key infrastructure (PKI) subsystem of a plurality of subsystems providing PKI services, the request comprising credentials to access one or more of a plurality of domain managers managing the plurality of PKI subsystems; selecting one of the plurality of domain managers to change the availability of the PKI subsystem of the plurality of PKI subsystems in view of the credentials and availability of the plurality of domain managers; and forwarding the request to change the availability of the PKI subsystem of the plurality of PKI subsystems to the selected one of the plurality of domain managers.

14. The non-transitory computer-readable storage medium of claim 13, wherein selecting comprises: determining which of the plurality of domain managers correspond to the credentials in the request; identifying which of the plurality of domain managers that correspond to the credentials are available; and selecting one of the available domain managers.

15. The non-transitory computer-readable storage medium of claim 13, the operations further comprising: storing, by the plurality of domain managers, security data for the plurality of PKI subsystems in a plurality of Lightweight Directory Access Protocol (LDAP)-based databases, wherein the security data is replicated amongst the LDAP-based databases in a replication domain when the domain data is changed in at least one of the plurality of LDAP-based databases.

16. The non-transitory computer-readable storage medium of claim 13, wherein the change comprises adding a certificate subsystem server to the plurality of PKI subsystems.

17. The non-transitory computer-readable storage medium of claim 16, the operations further comprising: adding, by the selected domain manager, an entry to an LDAP-based database that corresponds to the selected domain manager; and replicating, by the selected domain manager, the addition to a plurality of LDAP-based databases.

18. The non-transitory computer-readable storage medium of claim 13, wherein the change comprises removing a certificate subsystem server from the plurality of PKI subsystems.

19. The non-transitory computer-readable storage medium of claim 18, the operations further comprising: removing, by the selected domain manager, an entry from an LDAP-based database that corresponds to the selected domain manager; and replicating, by the selected domain manager, the removal to a plurality of LDAP-based databases.

20. The non-transitory computer-readable storage medium of claim 13, wherein the request is to view a topology of the plurality of PKI subsystems.

21. A system comprising: a plurality of persistent storage units to store security domain data describing an availability of a plurality of public key infrastructure (PKI) subsystems providing PKI services, wherein one or more of the plurality of persistent storage units store credentials to access one of a plurality of domain managers managing the plurality of PKI subsystems; and a domain manager selector, comprising a processing device, and operatively coupled to the one or more of the plurality of persistent storage units, the domain manager selector to select one of the plurality of domain managers to receive one or more requests to change the availability of a PKI subsystem of the PKI subsystems in view of the credentials and availability of the plurality of domain managers, change the availability of the PKI subsystem of the PKI subsystems, and replicate the change to the plurality of persistent storage units.

22. A networking device comprising: a persistent storage unit to store credentials to access one or more of a plurality of domain managers managing a plurality of public key infrastructure (PKI) subsystems providing PKI services; and a domain manager selector, comprising a processing device, coupled to the persistent storage unit to receive a request to change an availability of a PKI subsystem of the plurality of PKI subsystems, select one of the plurality of domain managers to change the availability of the PKI subsystem of the plurality of PKI subsystems in view of an availability of the domain managers, credentials in the request, and the credentials in the persistent storage unit, and forward the request to the selected domain manager.
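The routing and replication behaviour that the abstract and claims 1-12 describe (restated for a storage medium in claims 13-20 and as a system in claims 21-22) is easier to see in working code. The following is an added Python example written for this page; it is not code from the patent or from any product that implements it. Everything beyond what the claims state is an assumption made for the example: the class names SecurityDomainAccessSystem and DomainManager, the DN layout under ou=Security Domain,o=example, the PBKDF2-hashed username/password store, and the two-manager sample data (a root CA and a clone whose service is down).

```python
"""Toy Security Domain Access System (SDAS), added to illustrate the abstract
and claims 1-12.  Names, DN layout, credential scheme and sample data are
assumptions made for this example, not details from the patent."""
from __future__ import annotations
import hashlib, hmac, os
from dataclasses import dataclass, field

SUBSYSTEM_TYPES = {"CA", "KRA", "OCSP", "RA", "TKS", "TPS"}  # claim 12
BASE_DN = "ou=Security Domain,o=example"                     # assumed layout

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class DomainManager:
    """Root CA or clone (claim 10) with its own LDAP-based DB, a dict keyed by DN."""
    name: str
    users: dict[str, tuple[bytes, bytes]]   # user -> (salt, PBKDF2 digest)
    available: bool = True
    store: dict[str, dict[str, str]] = field(default_factory=dict)
    peers: list[DomainManager] = field(default_factory=list)

    def accepts(self, user: str, password: str) -> bool:
        # An unknown user still costs one PBKDF2 run, so timing stays uniform.
        salt, digest = self.users.get(user, (b"", b""))
        return hmac.compare_digest(digest, hash_password(password, salt))

    def process(self, request: dict) -> object:
        op = request["op"]
        if op == "topology":                                  # claim 8
            return sorted(self.store)
        sub = request["subsystem"]
        if sub["type"] not in SUBSYSTEM_TYPES or op not in ("add", "remove"):
            raise ValueError(f"bad request: {op} {sub['type']}")
        dn = f"cn={sub['host']}:{sub['port']},cn={sub['type']}List,{BASE_DN}"
        entry = None                                          # remove: claims 6-7
        if op == "add":                                       # add: claims 4-5
            entry = {"SubsystemName": sub["type"], "Host": sub["host"],
                     "Port": str(sub["port"])}
        self._replicate(dn, entry)
        return dn

    def _replicate(self, dn: str, entry: dict[str, str] | None) -> None:
        # Change the local DB, then push the same change to every other DB in the
        # replication domain (claim 3); a real replica that is down would queue it.
        for db in (self, *(p for p in self.peers if p is not self)):
            if entry is None:
                db.store.pop(dn, None)
            else:
                db.store[dn] = dict(entry)

@dataclass
class SecurityDomainAccessSystem:
    managers: list[DomainManager]

    def select(self, user: str, password: str) -> DomainManager:
        """Claim 2: managers that accept the credentials, then an available one."""
        matching = [m for m in self.managers if m.accepts(user, password)]
        if not matching:
            raise PermissionError("credentials not accepted by any domain manager")
        available = [m for m in matching if m.available]
        if not available:
            raise LookupError("no available domain manager for these credentials")
        return available[0]

    def handle(self, request: dict) -> tuple[str, object]:
        """Claim 1: select a manager and forward the request to it."""
        manager = self.select(*request["credentials"])
        return manager.name, manager.process(request)

def build_domain() -> SecurityDomainAccessSystem:
    """Constructed sample: a root CA plus a clone whose service is down. 'admin'
    exists on both with different passwords, so credentials pick the manager."""
    def user(pw: str) -> tuple[bytes, bytes]:
        salt = os.urandom(16)
        return salt, hash_password(pw, salt)
    root = DomainManager("ca-root", {"admin": user("root-pass")})
    clone = DomainManager("ca-clone", {"admin": user("clone-pass"),
                                       "ops": user("ops-pass")}, available=False)
    root.peers, clone.peers = [clone], [root]
    return SecurityDomainAccessSystem([root, clone])

def demo() -> dict:
    sdas = build_domain()
    creds = ("admin", "root-pass")
    kra = {"type": "KRA", "host": "kra1.example", "port": 8443}
    def failure(bad: tuple[str, str]) -> str | None:
        try:
            sdas.handle({"op": "topology", "credentials": bad})
        except (PermissionError, LookupError) as exc:
            return type(exc).__name__
        return None
    chosen, dn = sdas.handle({"op": "add", "credentials": creds, "subsystem": kra})
    _, topology = sdas.handle({"op": "topology", "credentials": creds})
    replicated = dn in sdas.managers[1].store   # the clone's DB got the entry
    blocked = failure(("ops", "ops-pass"))      # only the (down) clone knows 'ops'
    rejected = failure(("admin", "wrong"))      # wrong password: no manager matches
    sdas.handle({"op": "remove", "credentials": creds, "subsystem": kra})
    removed = all(dn not in m.store for m in sdas.managers)
    return {"chosen": chosen, "dn": dn, "topology": topology, "replicated": replicated,
            "blocked": blocked, "rejected": rejected, "removed": removed}
```

Calling demo() walks through an add, a topology view and a remove against the sample domain: the request carrying the root CA's admin credentials is routed to ca-root even though the same user name exists on the clone, the added KRA entry shows up in both managers' databases, and a request whose credentials only the unavailable clone accepts is refused. One practitioner caveat the claims do not address: the selector above raises different exceptions for "no manager accepts these credentials" and "the matching manager is down", which is convenient for operators but, if surfaced unchanged to a remote caller, confirms which manager a given credential belongs to; a production front end would normally collapse both into one generic failure.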


Patent Metadata

Filing Date

September 30, 2009

Publication Date

October 14, 2014


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “LDAP security domain data storage” (US-8863247). https://patentable.app/patents/US-8863247

© 2026 Patentable. All rights reserved.
